Cybersecurity Architecture Approaches Overview - NETSEC



Thursday, December 15, 2022

Cybersecurity Architecture Approaches Overview

This post summarizes some popular, practical security architecture designs and concepts from different security vendors.


Top Modern Cyber Threats

1. Ransomware (a form of malware): Staff awareness, Malware protection, Software updates, Data backups
2. Phishing: Staff awareness, Malware protection, Email protection
3. Data leakage: Password policy, Endpoint security, IoT
4. Hacking: Staff awareness, Perimeter protection (Network firewall), Data access security, Remote access security
5. Insider threat: Staff awareness, Data access security, Monitoring and alerting, Endpoint security (USB, portable devices, etc.)

6. Cloud security
7. Social engineering attacks
8. Social media threats
9. Advanced persistent threats
10. Unpatched software threats

STRIDE model for identifying computer security threats. Each threat is a violation of a desirable property for a system:

  Threat                    Desired property
  Spoofing                  Authentication
  Tampering                 Integrity
  Repudiation               Non-repudiation
  Information disclosure    Confidentiality
  Denial of service         Availability
  Elevation of privilege    Authorization

Check Point Infinity - A Practical Holistic Approach - Consolidated Security Architecture

Check Point Infinity is the first modern, consolidated, cyber security architecture built to prevent sophisticated Fifth Generation attacks across networks, cloud deployments, endpoints, mobile and IoT devices. Check Point’s entire portfolio of security solutions can be managed through a single pane of glass and adheres to all seven Zero Trust principles. Check Point ThreatCloud, the world’s largest cyber threat intelligence database, leverages AI and powers the dozens of threat prevention engines employed by Infinity.

A consolidated security architecture is a multi-layered approach to cyber security that protects all IT attack surfaces – networks, cloud, endpoints, mobile and IoT devices – sharing the same threat prevention technologies, management services, and threat intelligence. A consolidated security architecture is designed to resolve the complexities of growing connectivity and inefficient security. It provides complete threat prevention which seals security gaps, enables automatic, immediate threat intelligence sharing across all security environments, and a unified security management platform for an efficient security operation. Ultimately, a consolidated security architecture improves the overall security of an enterprise.

Check Point offers solutions for all of an organization’s security needs, including:

  • Network Security: Check Point Quantum
  • IoT Security: Check Point Quantum IoT Protect
  • Cloud Security: Check Point CloudGuard
  • Application Security: Check Point CloudGuard AppSec
  • Endpoint Security: Check Point Harmony Endpoint
  • Mobile Security: Check Point Harmony Mobile

ISACA Top-Down Approach

Enterprise Security Architecture—A Top-down Approach

Using the Frameworks to Develop an Enterprise Security Architecture

The fair question is always, “Where should the enterprise start?”

If one looks at these frameworks, the process is quite clear. This must be a top-down approach—start by looking at the business goals, objectives and vision.

The initial steps of a simplified Agile approach to initiate an enterprise security architecture program are:

  • Identify business objectives, goals and strategy
  • Identify business attributes that are required to achieve those goals
  • Identify all the risks associated with those attributes that could prevent the business from achieving its goals
  • Identify the required controls to manage the risk
  • Define a program to design and implement those controls:
    • Define conceptual architecture for business risk:
      • Governance, policy and domain architecture
      • Operational risk management architecture
      • Information architecture
      • Certificate management architecture
      • Access control architecture
      • Incident response architecture
      • Application security architecture
      • Web services architecture
      • Communication security architecture
    • Define physical architecture and map with conceptual architecture:
      • Platform security
      • Hardware security
      • Network security
      • Operating system security
      • File security
      • Database security, practices and procedures
    • Define component architecture and map with physical architecture:
      • Security standards (e.g., US National Institute of Standards and Technology [NIST], ISO)
      • Security products and tools (e.g., antivirus [AV], virtual private network [VPN], firewall, wireless security, vulnerability scanner)
      • Web services security (e.g., HTTP/HTTPS protocol, application program interface [API], web application firewall [WAF])
    • Define operational architecture:
      • Implementation guides
      • Administrations
      • Configuration/patch management
      • Monitoring
      • Logging
      • Pen testing
      • Access management
      • Change management
      • Forensics, etc.

It is that simple. After all risk is identified and assessed, then the enterprise can start designing architecture components, such as policies, user awareness, network, applications and servers.

Figure 6 depicts the simplified Agile approach to initiate an enterprise security architecture program.

Figure 6

Using these frameworks can result in a successful security architecture that is aligned with business needs:

  • COBIT principles and enablers provide best practices and guidance on business alignment, maximum delivery and benefits.
  • The COBIT Process Assessment Model (PAM) provides a complete view of requirement processes and controls for enterprise-grade security architecture.
  • SABSA layers and framework create and define a top-down architecture for every requirement, control and process available in COBIT.
  • The TOGAF framework is useful for defining the architecture goals, benefits and vision, and setting up and implementing projects to reach those goals.
  • The CMMI model is useful for providing a level of visibility for management and the architecture board, and for reporting the maturity of the architecture over time.

Three Phases Approach 

Security architects tailor their security approach to best fit their organization and sector, keeping in mind the risk calculations. Most plans have 3 common elements:
  • Phase 1 Develop Policies, Standards, and Best Practices
  • Phase 2 Implementation of Phase 1
  • Phase 3 Monitoring of Phases 1 and 2

Learning about these phases helps everyone understand on a deeper level how security architecture works and why it’s so important.

phases of cybersecurity architecture

Phase 1 Developing an Organization’s Policies, Standards, and Best Practices

Security architects develop their organizational policies, standards, and best practices based on frameworks. These frameworks give guidelines like ‘sensitive data must be encrypted.’ However, there’s no indication of the encryption strength. 

Back to the museum analogy: the framework would suggest that all objects worth between $2 to $3 million need “high security.” It's then up to the museum to decide how to define its high security.

Common frameworks include ISO 27001 for information security, the NIST Cybersecurity Framework for addressing threats while supporting the business, and the OWASP Top Ten for web application security.

After a company has developed and implemented the framework, it can take a step toward official certification. When it passes the audit, its customers are assured of the organization's level of security. Over time, changes occur as the security architect adapts systems to stay secure and maintain the certifications.

For some frameworks, cybersecurity staff training is required. It’s an important step because the training helps ensure employees understand their responsibilities and supports maintaining security in the organization. When an organization fails to train, the certification and customer trust are at risk.

A nerdy note: A standard defines thresholds for compliance, and frameworks offer guidelines. But you’ll often find frameworks referred to as company standards.
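The framework/standard distinction above is easiest to see when the standard is expressed as thresholds that a configuration can be checked against. The following is an added example, not code from the page: the framework's guideline is "sensitive data must be encrypted", and the constructed standard below turns it into a cipher allowlist, a minimum key size and a minimum TLS version. Both sample configurations and every threshold are invented for the illustration, not taken from a real standard.

```python
"""Turn a framework guideline into a checkable standard.

Added example (not code from the page). The framework says "sensitive data
must be encrypted"; the organization's standard below turns that into
measurable thresholds so a configuration can be judged compliant or not.
All thresholds and sample configurations are constructed for the example.
"""

# The organization's standard: thresholds, not just a guideline. (Constructed.)
STANDARD = {
    "require_encryption_at_rest": True,
    "allowed_ciphers": {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"},
    "min_key_bits": 128,
    "min_tls": (1, 2),          # TLS 1.2
}


def parse_tls_version(text):
    """'TLSv1.2' -> (1, 2); anything unparseable compares as the lowest version."""
    if not text.startswith("TLSv"):
        return (0, 0)
    major, _, minor = text[len("TLSv"):].partition(".")
    try:
        return (int(major), int(minor or 0))
    except ValueError:
        return (0, 0)


def check_config(config, standard=STANDARD):
    """Return a list of gaps, each (setting, observed, required).

    An empty list means the configuration meets every threshold in the standard.
    """
    gaps = []
    if standard["require_encryption_at_rest"] and not config.get("encryption_at_rest"):
        gaps.append(("encryption_at_rest", config.get("encryption_at_rest"), True))

    cipher = (config.get("cipher") or "").upper()
    if cipher not in standard["allowed_ciphers"]:
        gaps.append(("cipher", config.get("cipher"), sorted(standard["allowed_ciphers"])))

    key_bits = config.get("key_bits", 0)
    if key_bits < standard["min_key_bits"]:
        gaps.append(("key_bits", key_bits, standard["min_key_bits"]))

    tls = config.get("tls_min_version", "")
    if parse_tls_version(tls) < standard["min_tls"]:
        gaps.append(("tls_min_version", tls, "TLSv%d.%d" % standard["min_tls"]))
    return gaps


# Two constructed configurations: one that follows the guideline only in
# spirit ("it is encrypted"), and one that meets the standard's thresholds.
WEAK_CONFIG = {
    "encryption_at_rest": True,      # encrypted, as the framework asks...
    "cipher": "3DES-CBC",            # ...but with a legacy cipher
    "key_bits": 112,
    "tls_min_version": "TLSv1.0",
}

HARDENED_CONFIG = {
    "encryption_at_rest": True,
    "cipher": "AES-256-GCM",
    "key_bits": 256,
    "tls_min_version": "TLSv1.2",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        gaps = check_config(cfg)
        print(name, "compliant" if not gaps else "non-compliant")
        for setting, observed, required in gaps:
            print("  %s: observed %r, required %r" % (setting, observed, required))
```

The weak configuration satisfies the guideline literally (data is encrypted) yet fails three thresholds of the standard; that gap is exactly what a certification audit measures.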

Phase 2 Using the Building Blocks of Security and Applying Design Concepts

Once security architects define the organization’s policies and standards, the development teams design and implement the software. This stage applies these requirements and principles at the building block level. 

Many organizations apply a principle called "Security by Design." This involves designing and implementing software components with built-in security controls, ensuring each part of the system is protected against attack. In a way, it’s like building something block by block with Lego. The developers design and construct various building blocks of code to include required security measures relevant to their functionality. When the finished solution is assembled, they have already accounted for many potential security issues.

For example, when considering an app, the cybersecurity architects write the safety rules for authentication and authorization. Such rules may include “Block users who repeatedly enter the wrong password” or “Always check if a user is logged in before giving them access to data.” The developers apply the rules as they make the building blocks. Then they use these existing blocks in other parts of the app, knowing they adhere to the security principles. Finally assembled, the blocks make a secure and robust application.

Phase 3 Monitoring for Changes, Updates, and Implementation

Security architects monitor their systems. They watch to ensure that standards are met, update these standards for new technologies, and keep track of exceptions.

Looking back at our museum building metaphor:

  • Phase 1: The architects decide what safety features the building needs.
  • Phase 2: The builders bring in raw materials and construct the walls.
  • Phase 3: The building inspectors come back to check that the building is safe.

In other words, the security architects monitor phases 1 and 2 to ensure they meet their standards.

In addition, the security architects keep an eye on the list of existing issues that need to be fixed, also called technical debt. Older technologies expose a much larger attack surface and are more vulnerable to attack. Once or twice a year, a company-wide risk assessment for cyber defense should take place. This helps security architects weigh costs against risks and then adapt accordingly.



Security architecture is highly manual in most organizations, which makes it time-intensive and leaves little room for automation.

Analytic tools: current state, risk and threat analysis (gap analysis)

  • Effectiveness: Do security measures currently exist?
    Baselines: ISO/IEC 27001:2013 Annex A, NIST SP 800-53, COBIT 5 processes
  • Maturity: Are security processes reliable and resilient?
    CMMI: maturity or capability of process implementation
    CMMC: technical and maturity evaluation
  • Efficiency: Are the security resources used optimally?
    Economic modeling tools: understand the cost of each control

Threat modeling tools
  • OWASP Threat Dragon: open source; creates and documents threat models; helps automate data flow diagrams and STRIDE analysis
  • Trike: open source; lightweight tool for creating and documenting threat models; helps automate documentation of actors, data and interactions
  • Microsoft Threat Modeling Tool
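What the threat modeling tools above automate, a STRIDE pass over a data flow diagram, can be shown on a small scale. The following is an added example, not code from the page or from any of the tools it names. It encodes the STRIDE table from the start of the post (each category and the property it violates) together with the standard STRIDE-per-element mapping (which categories apply to external entities, processes, data stores and data flows), and runs it over a constructed browser / web app / database model with three trust zones. The element and flow names are invented for the illustration.

```python
"""STRIDE-per-element over a small data-flow model.

Added example, not code from the page or from any threat modeling tool. The
STRIDE table and the per-element mapping are the standard ones; the model
(elements, zones, flows) is constructed for the example.
"""
from dataclasses import dataclass

# Category letter -> (threat, property it violates)
STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}

# STRIDE-per-element: which categories apply to each DFD element type
PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TRID",
    "dataflow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str              # "external", "process" or "datastore"
    zone: str              # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    encrypted: bool


def crosses_boundary(flow):
    """A flow crosses a trust boundary when its ends sit in different zones."""
    return flow.src.zone != flow.dst.zone


def enumerate_threats(elements, flows):
    """Return one finding per (target, STRIDE category) pair that applies."""
    findings = []
    for e in elements:
        for letter in PER_ELEMENT[e.kind]:
            threat, prop = STRIDE[letter]
            findings.append({"target": e.name, "category": letter, "threat": threat,
                             "violates": prop, "priority": "normal"})
    for f in flows:
        for letter in PER_ELEMENT["dataflow"]:
            threat, prop = STRIDE[letter]
            # Cleartext across a trust boundary: tampering with and disclosure
            # of that flow are the first findings to work on.
            high = crosses_boundary(f) and not f.encrypted and letter in "TI"
            findings.append({"target": f.name, "category": letter, "threat": threat,
                             "violates": prop, "priority": "high" if high else "normal"})
    return findings


def count_by_category(findings):
    counts = {letter: 0 for letter in STRIDE}
    for finding in findings:
        counts[finding["category"]] += 1
    return counts


def high_priority(findings):
    return sorted((f["target"], f["category"]) for f in findings if f["priority"] == "high")


# Constructed model: browser -> web app -> database, across three trust zones.
BROWSER = Element("browser", "external", "internet")
WEBAPP = Element("web app", "process", "dmz")
DB = Element("orders db", "datastore", "internal")
ELEMENTS = [BROWSER, WEBAPP, DB]
FLOWS = [
    Flow("login request", BROWSER, WEBAPP, encrypted=True),
    Flow("order query", WEBAPP, DB, encrypted=False),
]

if __name__ == "__main__":
    findings = enumerate_threats(ELEMENTS, FLOWS)
    for f in findings:
        flag = " [HIGH]" if f["priority"] == "high" else ""
        print("%-14s %-24s violates %s%s" % (f["target"], f["threat"], f["violates"], flag))
    print(count_by_category(findings))
```

The output is the raw threat list a tool like Threat Dragon starts from; the analyst's work is then to decide, per finding, which existing control mitigates it and which findings are accepted or need a new control. The only prioritisation applied here is flagging cleartext flows that cross a trust boundary.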

Risk frameworks
  • NIST 800-30
  • ISACA Risk IT Framework
  • ISO/IEC 31010:2009
  • Factor Analysis of Information Risk (FAIR)

Gap analysis tools
  1. Eramba: GRC platform; helps automate gap analysis (effectiveness, maturity) and risk analysis
  2. TCO Tool: open source; models total cost of ownership; helps automate gap analysis (efficiency)

Risk modeling tool
  • Open Group FAIR tool: evaluation license (90 days); probability-based risk assessments; helps automate risk analysis using Open FAIR

Informational tools: data gathering and metrics
  • KPIs (Key Performance Indicators)
  • KRIs (Key Risk Indicators)

Tool: metrics
  • Grafana: commercial and community versions; dashboard creation tool; can graph pretty much anything; can be used to collect operational metrics and for reporting

Tool: inventorying
  • OCS Inventory: open source inventory management tool; helps automate inventory of VMs, assets and containers; data collection and discovery

Tool: network management
  • Open source network management tool; helps automate data collection for network devices, reporting and analysis

Tool: reference
  • NIST CSF Reference Tool: public domain; helps automate correlation of gap analysis with gathered metrics

Design tools: documentation and modeling

Tool: architecture modeling
  • Archi: open source diagramming and modeling tool; helps automate creation of ArchiMate diagrams

Tool: UML (and ArchiMate) modeling
  • Modelio: open source; Unified Modeling Language (UML); ArchiMate / TOGAF; numerous others

Tool: mind mapping
  • FreeMind

Tool: embedded systems modeling

  1. In the first week:
    1. Examine the security architecture process to find inefficiencies
    2. Begin thinking through how to improve it
  2. In the first three months:
    1. Adapt the architecture process to include automation
    2. Where possible, leverage free tools to assist
  3. Within six months:
    1. Begin to collect metrics on architecture process performance
    2. Analyze the metrics to find areas for further refinement

MCRA (Microsoft Cybersecurity Reference Architectures)

The Microsoft Cybersecurity Reference Architectures (MCRA) describe Microsoft’s cybersecurity capabilities. The diagrams show how Microsoft security capabilities integrate with Microsoft platforms such as Microsoft 365 and Microsoft Azure, with 3rd party apps such as ServiceNow and Salesforce, and with 3rd party platforms such as Amazon Web Services (AWS) and Google Cloud Platform (GCP).

The reference architectures are primarily composed of detailed technical diagrams covering Microsoft cybersecurity capabilities, zero trust user access, security operations, operational technology (OT), multi-cloud and cross-platform capabilities, attack chain coverage, Azure-native security controls, and security organizational functions.

Microsoft Cybersecurity Reference Architecture - Page 1

The MCRA also includes an overview of Zero Trust and a Zero Trust rapid modernization plan (RaMP). Additionally, this includes other key information on security operations and key initiatives like protecting from human operated ransomware, securing privileged access, moving beyond VPN, and more.

Microsoft Cybersecurity Reference Architecture - Page 2

For Zero Trust:
